By John L. Krieger, Member, Dickinson Wright’s Intellectual Property and Entertainment and Sports Departments
Privacy laws are becoming more consumer-focused, and companies that collect personally identifiable information about their consumers, but fail to tell those customers what they are doing with that information, are beginning to find themselves in uncomfortable situations. New regulations aimed at protecting people’s privacy are on the rise: they define what constitutes personally identifiable information, what encryption is, and when it should be used. Moreover, with the growth of Internet commerce, businesses are gathering even more particularized information about their customers’ buying habits and personal tastes, which is potentially even more valuable. Simply put, companies need to know what their obligations are, particularly if they have an Internet presence and are gathering personally identifiable information about their customers by way of a website.
If a business collects personally identifiable information—which is currently defined in most states as a combination of someone’s first initial, last name, and an account number, such as a credit card, bank account, or driver’s license number—then it has an obligation to keep that information safe and to tell customers what it is doing with it by way of an informative and accurate privacy policy.
For example, Nevada, with one of the strictest encryption standards in the nation, requires companies to adopt encryption technology for the personal information they gather and store, and to use a recognized standard of encryption to do so. What makes Nevada’s law particularly troublesome is that it applies to “any” “personal information,” which could be interpreted broadly to encompass any one element of the “personal information” combination identified above. Furthermore, because the law applies to business “in the State,” companies located outside of Nevada should evaluate the nature and the quantity of business they conduct within Nevada.
Although the laws regarding the specifics of handling a data breach are unclear, the sooner consumers are notified a breach occurred, the quicker they can act to protect themselves (e.g. change account numbers, notify banks, etc.) and the less liability the company will have for the breach. It is important to plot out an appropriate response and notification process.
To protect your company, it is imperative that good data protection policies and safeguards are in place, and that the appropriate legal counsel and IT personnel are consulted to ensure that all relevant data protection issues facing the company have been addressed and are included in privacy policies and/or employee handbooks. All data collection sources need to be considered (e.g., smart phones and laptops), particularly those sources that “feed” information back to the company’s servers. Companies would do well to modify their practices and update their internal policies to cover stored as well as transmitted data.
When creating a data security compliance strategy, it is important to perform cybersecurity and cyber-liability audits, usually conducted by both the company’s IT staff and legal counsel, to ensure that all appropriate policies are in place. Keeping encryption, anti-virus and anti-spyware software, and firewalls up to date and using strong passwords are also necessary, along with creating and enforcing computer usage policies.
Attorneys who practice in the area of privacy law can be especially helpful in assisting with creating non-disclosure agreements—to be signed by the company’s employees—and security policies, as well as conducting on-site education programs/seminars and audits. Knowing the dangers of a data breach and taking appropriate measures to protect personally identifiable information is critical.